I wouldn't be worried:
http://www.robertgraham.com/pubs/firewall-seen.html#port137

Are the source ports 137 as well? A 137->137 packet is almost certainly a request from a Windows machine, or a response. For example, you might have a machine internally sending out NetBIOS requests, and these might be the responses.

Alternatively, for some reason, these might be Windows machines trying to do a reverse DNS lookup on your machine. If the DNS server doesn't respond in a timely manner, Windows machines will give up and try a NetBIOS query to resolve your name. This is part of Microsoft's Winsock implementation, so it is an OS thing rather than an application thing. I know this is weird advice: check your DNS server, it may fix the problem.

In any event, grab a packet sniffer (like tcpdump, which is probably installed by default on your Linux box) and capture the packets to a file. If you send me the file, I could probably figure out what these NetBIOS packets are looking for (warning: you would be disclosing sensitive info if you did this).

Rob.

--- Joerg Walter <joerg.walterat_private> wrote:
> Hi folks,
> I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0,
> Kernel 2.2.12-20). There are lots of connect-attempts to this machine to Port
> 137 (NetBIOS-NameService). These attempts are blocked but nevertheless I'm
> wondering, since the source of these packets are addresses throughout Europe
> and they don't seem to be broadcasts (destination address is exactly that
> machine).
> We have some other Firewalls set up just the same on the same network and
> they don't get these packets...
>
> Is this something to be worried about?

=====
Robert Graham
http://www.robertgraham.com/pubs
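
The reply above suggests capturing the port 137 packets to see what they are looking for. As an added example (not part of the original message), this parser decodes the NetBIOS name service header and first question of a UDP/137 payload per the RFC 1001/1002 layout, which separates requests from responses and name queries from node status queries. The function names are hypothetical and `SAMPLE` is a constructed packet, not captured traffic.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types

def decode_nb_name(label):
    """Undo first-level encoding: each byte is stored as two letters 'A'..'P'."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 name bytes (space or NUL padded) followed by one suffix/type byte
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]

def parse_nbns(payload):
    """Parse the 12-byte header and the first question of a UDP/137 payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"id": txid, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "questions": qd, "answers": an}
    if qd == 0:
        return info  # e.g. a response that carries only answer records
    pos = 12
    if pos >= len(payload) or payload[pos] != 32:
        raise ValueError("first label is not a 32-byte NetBIOS name")
    name, suffix = decode_nb_name(payload[pos + 1:pos + 33])
    pos += 33
    while pos < len(payload) and payload[pos] != 0:  # skip optional scope labels
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!2H", payload[pos + 1:pos + 5])
    info.update(name=name, suffix=suffix, qtype=QTYPES.get(qtype, hex(qtype)))
    return info

# Constructed sample: a node status (NBSTAT) request for the wildcard name "*",
# the query form used to ask a host at a known address for its names.
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!2H", 0x0021, 0x0001))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE))
```

The input is the UDP payload only, so the IP and UDP headers from a capture file must be stripped before calling `parse_nbns`.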
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:33 PDT